It is sometimes the case an attacker knows one host/port pair in the connection. In the example above it would be www.webserver.com:80. This is mostly useless in this context because http tends to keep short lived connections, unless the Keep-alive option is used.

The attack then goes like this.

The attack starts bruteforcing ICMP Destination Unreachable Messages (Port Unreachable), for the source port of the client that he doesn’t know. He sends these ICMP messages to either the client or the server. After enough bruteforcing, the correct host/port pair is found, and the TCP Connection is dropped.

Historically, client ports were chosen deterministically, so you really only had to brute force a thousand or two ports. It was a very successful attack and a known protocol problem in TCP/IP.

This type of attack I suspect was a specific attack that Mudge/L0pht was thinking about when he talked about ‘being able to take down the internet in 30 minutes’. Also written was a tool by ADM that I think implemented this type of attack against critical internet infrastructure.

Today, everyone has broadband, so these types of attacks are easier to implement. Also more common is for networks to filter ICMP messages, so this type of attack is less effective.